IFB240 Cyber Security Lecture Notes PDF
Queensland University of Technology
2024
Dr Leonie Simpson
Summary
This document is a lecture from a cyber security class, IFB240, on the topic of privacy and information. It covers definitions, legal considerations, and details the Commonwealth Privacy Act 1988. It also discusses the importance of personal information and privacy legislation.
IFB240 Cyber Security
Lecture 6 – Part A: Privacy and information
Dr Leonie Simpson, [email protected]
Sem 2 2024

What is privacy?
Examples in the news:
– https://www.theguardian.com/australia-news/2023/aug/08/australia-cybersecurity-laws-hacks-optus-medibank-privacy-data-breach
– https://www.brisbanetimes.com.au/national/queensland/uq-students-raise-privacy-concerns-over-third-party-exam-platform-20200419-p54l77.html
– https://www.theguardian.com/technology/2015/nov/30/vtech-toys-hack-private-data-parents-children

What is privacy?
Definitions
– "A state in which one is not observed or disturbed by other people, the state of being free from public attention" (Oxford dictionary)
– "the interest that individuals have in sustaining 'personal space', free from interference by other people and organisations" (Roger Clarke, member of the Australian Privacy Foundation, http://www.rogerclarke.com/DV/Intro.html)

What is privacy?
The interpretation of privacy depends on context. Roger Clarke's dimensions of privacy:
– Privacy of the person: physical or bodily privacy, concerning the integrity of the body and consent to physical procedures
– Privacy of personal behaviour: including political, religious and sexual practices and preferences
– Privacy of personal communications: being able to communicate with other individuals without routine monitoring by others
– Privacy of personal data: control over personal data and how it will be used, even when it is held by another organisation
– Privacy of personal experience: experience being monitored and analysed, e.g. reading, viewing, interactions

Privacy and information
Some of these dimensions relate to information:
– Personal communications: are your communications monitored by other people or organisations? Who, how, why, which details?
– Personal data: are your personal details available to others? Who? How?
– Personal experience: are details of your personal experiences available to others? Who, how, why?
Q: Who should have access to your personal information? There is an ongoing debate about public interest vs individual rights.
Q: When can you be anonymous (not identified) in interactions?

Privacy and information
How much personal information about
– you
– your communications
– your personal experiences
is collected, stored and used by others?
Think about your activities today, and the data footprint you have generated:
– Where is that data held?
– How much control do you have over it?
– Can those with your personal information do whatever they want with it?

Privacy and information security
Recall (from Lecture 3) that the information security risk management process involves establishing the context, considering:
– External context
– Internal context
– Risk management context
and defining risk criteria. For risk evaluation, consider:
– Strategic value of the asset
– Criticality of the asset
– Legal, regulatory or contractual obligations
– Reputation
Personal information is an asset whose handling carries legal obligations, so the privacy legislation below is part of the external context for any organisation that holds it.

Personal information used in organisations
Q: Are there legal considerations?
A: Australia has specific privacy legislation.
– At the federal level (Commonwealth of Australia): the Commonwealth Privacy Act 1988 and subsequent amendments:
  » Privacy Amendment (Private Sector) Act 2000
  » Privacy Amendment (Enhancing Privacy Protection) Act 2012
  » Privacy Amendment (Notifiable Data Breaches) Act 2017
– At the state level (State of Queensland): Information Privacy Act 2009 (Qld)
Other countries and regions have their own, e.g. Europe's GDPR.

Personal information and privacy legislation: Federal legislation
Commonwealth Privacy Act 1988
– Deals with the privacy of personal information, defined as "... information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion."
  » Note: this is the wording of the Act before the 2012 amendments; the current section 6 definition refers instead to an identified individual, or an individual who is reasonably identifiable. The practical test is the same: can the data be linked to a person?
– Examples: name, address, date of birth, photos, medical records, bank account details, ...
– Regulates how your personal information can be collected, used and disclosed, and how it should be maintained

Sensitive information
The Commonwealth Privacy Act defines sensitive information as information or an opinion (that is also personal information) about an individual's:
– racial or ethnic origin
– political opinions
– membership of a political association
– religious beliefs or affiliations
– philosophical beliefs
– membership of a professional or trade association, or of a trade union
– sexual orientation or practices, or
– criminal record
and also:
– health information about an individual
– genetic information (that is not otherwise health information)
– biometric information used for the purpose of automated biometric verification or biometric identification, or
– biometric templates

Federal legislation – brief history
Commonwealth Privacy Act 1988
– Applied to Commonwealth and ACT government agencies
– Did not apply to state or Northern Territory government agencies, or to non-government organisations
– Agencies had to comply with
  » 11 Information Privacy Principles (Section 14)
  » Tax file number guidelines (Section 17)

Much personal information is held by non-government organisations, and the Commonwealth Privacy Act 1988 did not apply to these.
Privacy Amendment (Private Sector) Act 2000
– Extended coverage of the Privacy Act to parts of the private sector, including all private health service providers
– These had to comply with 10 National Privacy Principles, similar to the 11 Information Privacy Principles in the original Act
– Some organisations are exempt (conditions apply), e.g. small businesses with turnover below $3,000,000 per annum, ...

Privacy Amendment (Enhancing Privacy Protection) Act 2012
– Came into effect on 12 March 2014
– One set of principles that applies to
  » Australian federal government agencies
  » ACT and Norfolk Island government agencies
  » private-sector businesses with annual turnover above $3 million
  » all private sector health service providers
– 13 Australian Privacy Principles (APPs), grouped into five parts:
  1. Consideration of personal information privacy
  2. Collection of personal information
  3. Dealing with personal information
  4. Integrity of personal information
  5. Access to, and correction of, personal information

Privacy Amendment (Notifiable Data Breaches) Act 2017
– Applies to all agencies and organisations with privacy obligations under the APPs. Note: this does not cover all organisations holding data.
– If a breach is likely to result in serious harm, the entity has an obligation to notify both
  » the individuals whose personal information is involved (this requires an assessment of the likelihood of harm), and
  » the Australian Information Commissioner
– The obligation to notify applies from 22 February 2018

Commonwealth Privacy Act 1988 + Amendments
Part 1: Consideration of personal information privacy
– APP 1 – Open and transparent management of personal information. An APP entity must manage personal information in an open and transparent way:
  » Take reasonable steps to comply with the APPs
  » Have a clearly expressed and up-to-date policy about how it manages personal information (a Privacy Policy)
  » Make the privacy policy available free of charge and in an appropriate form
– APP 2 – Anonymity and pseudonymity. Individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity (but not if this is 'impracticable' for the APP entity)

Part 2: Collection of personal information
– APP 3 – Collection of solicited personal information
  » For personal information other than sensitive information: must not collect unless the information is reasonably necessary
  » For sensitive information about an individual: must not collect unless the individual consents and the information is reasonably necessary (some exemptions: if required by law, a permitted health situation, ...)
  » Must collect personal information only by lawful and fair means, and only from the individual (some exemptions)
– APP 4 – Dealing with unsolicited personal information
  » If the organisation could not have collected the information under APP 3, and the information is not contained in a Commonwealth record, then the information must be destroyed or de-identified
  » If the organisation could have collected the information, then the APPs apply as if the information had been collected
– APP 5 – Notification of collection of personal information

Part 3: Dealing with personal information
– APP 6 – Use or disclosure of personal information. Information collected for a particular purpose cannot be used or disclosed for another purpose, unless:
  » the individual consented
  » the individual would reasonably expect the information to be used for that purpose, ...
  » required by law, etc.
– APP 7 – Direct marketing. Must not use or disclose personal information for direct marketing (some exceptions for personal information other than sensitive information). Individuals must be able to request not to receive direct marketing communications.
– APP 8 – Cross-border disclosure of personal information. Before personal information is disclosed to a recipient overseas, must take reasonable steps to ensure the recipient doesn't breach the APPs (some exemptions).
– APP 9 – Adoption, use or disclosure of government related identifiers
  » Cannot adopt a government related identifier as its own identifier, unless required or authorised by law (or some regulations)
  » Cannot use or disclose a government related identifier, unless necessary for the organisation's functions or its obligations to the issuing authority, the use is required by law, etc.

Part 4: Integrity of personal information
– APP 10 – Quality of personal information. Must take reasonable steps to ensure personal information
  » collected is accurate, up to date and complete
  » used or disclosed is accurate, up to date, complete and relevant
– APP 11 – Security of personal information. Must take reasonable steps to protect the information
  » from misuse, interference and loss; and
  » from unauthorised access, modification or disclosure
  » This maps onto the information security requirements of confidentiality, integrity and availability, plus access control
  » Personal information that is no longer needed, and is not required to be retained, should be destroyed or de-identified

Part 5: Access to, and correction of, personal information
– APP 12 – Access to personal information. If requested by the individual, must give access to the personal information held. Some exceptions (required by law to refuse, access poses a serious threat, access would impact on the privacy of others, etc.)
– APP 13 – Correction of personal information
  » Must correct if personal information is inaccurate, out of date, incomplete, irrelevant or misleading
  » Must notify third parties of the correction if the information was previously disclosed to them
  » If the information is not corrected, must give written notice of the reasons, and of the mechanisms available to complain

State legislation
Most Australian states have some form of privacy legislation for government agencies, or guidelines based on the federal legislation.
Queensland: Information Privacy Act 2009
– https://www.legislation.qld.gov.au/LEGISLTN/CURRENT/I/InfoPrivA09.pdf
– 11 Information Privacy Principles
– Controls the way Qld government agencies handle information
– Some exceptions, e.g. some law enforcement functions, some Commissions, ...

Your privacy at Queensland University of Technology
QUT must comply with the Information Privacy Act 2009 (Qld)
– Details in QUT MOPP, Chapter F Information Management, Section 6.2 Information Privacy
– Personal information includes usernames, passwords, staff and student numbers
– Formats of recorded information include
  » hard copy documents
  » electronic documents, databases
  » photographs and other images
  » staff/student identity cards

European legislation
General Data Protection Regulation (GDPR), https://gdpr.eu/
– Adopted in the European Union in April 2016; came into force on 25 May 2018
– Regulates the use of personal data, and gives individuals control over their personal data, i.e. information that allows a person to be identified (directly or indirectly)
– Some special categories are considered sensitive (similar to Australia)
– Applies to any organisation
  » within the EU that controls or processes personal information, and
  » outside the EU that provides goods or services into EU countries (or monitors the behaviour of individuals in the EU)

GDPR requirements are based on 7 principles:
1. Lawfulness, fairness and transparency
2. Purpose limitation – for specified purposes only
3. Data minimisation – only as much data as necessary
4. Accuracy – correct and up to date
5. Storage limitation – only as long as necessary
6. Integrity and confidentiality – ensure security
7. Accountability – must demonstrate GDPR compliance

Principle 1: Lawfulness, fairness and transparency
Personal data may not be processed unless there is a lawful basis:
a) the data subject has given consent to the processing;
b) processing is needed to fulfil contractual obligations with a data subject ...
c) to comply with a data controller's legal obligations;
d) to protect the vital interests of a data subject or another individual;
e) to perform a task in the public interest or in the exercise of official authority;
f) for the legitimate interests of a data controller or a third party, unless these interests are overridden by the interests of the data subject
Consent must be freely given, specific, informed and unambiguous, covering the data collected and the purpose it is used for (explicit consent is required for the special categories of data).

GDPR recognises privacy rights for data subjects:
1. To be informed (of any data collection and of their rights)
2. Of access (to their personal data, and to know how it is being used)
3. To rectification (correct inaccuracies in personal data)
4. To erasure ('to be forgotten')
5. To restrict processing
6. To data portability (to receive their information and to transmit it to another controller)
7. To object (to their personal data being processed)
8. Rights in relation to automated decision making and profiling

Summary
Information is an important asset, including personal data that can be used to identify individuals.
In Australia, privacy laws cover how personal information
– is collected, used, and how it may be disclosed
– is kept (securely)
– can be accessed
Other regions have similar legislation; GDPR may apply in some cases (within and outside the EU). These regimes are similar but not identical, and GDPR carries tougher penalties for breaches.
Organisations have an obligation to comply with applicable legislation, so you need to know what legislation applies in your context.